Abstract

Generation of pseudo-random sequences by cellular automata, as well as by hybrid cellular automata, is surveyed. An application to the fast evaluation and FPGA implementation of some classes of Boolean functions is sketched out.

Introduction

Cellular Automata (CA) are a popular model of finite state machine with some pretension to generality and universality. Pseudo Random Sequences (PRS), on the other hand, have a long history of applications to computational problems (Monte Carlo sampling, numerical simulation) and to communications problems (coding theory, stream ciphers). In that context the popular model is the Linear Feedback Shift Register (LFSR), another model of linear finite state machine.

In the present work we survey the known attempts to generate PRS by CA. We give an account of the synthesis of LFSR by arrays of variable CA (known as hybrid CA or HCA). We sketch an application to the evaluation of Boolean functions in $n$ variables which are related to cyclic codes of length $2^n - 1$. This is aimed at VLSI implementation, especially by programmable arrays.

The material is organized as follows. Section 1 collects definitions and basic notions on PRS, CA and HCA. Section 2 reviews the synthesis theory of LFSR by HCA. Section 3 surveys the generation of PRS by elementary CA. Section 4 surveys the generation of PRS by HCA. Section 5 contains the application of synthesis theory to Boolean function evaluation.
1 Notations and definitions

1.1 (Pseudo-)randomness 

This section recalls the classical definitions of pseudo-randomness. We first give an intuitive statement of the difference between real randomness and pseudo-randomness. We then introduce more formal definitions of pseudo-randomness.

In [20], Wolfram describes three mechanisms responsible for random behavior in systems: (1) randomness from physics, like Brownian motion; (2) randomness from the initial conditions, which is studied by chaos theory; and (3) randomness by design, also called pseudo-randomness, which is used in pseudo-random sequence generators. Many algorithms generate pseudo-random sequences. The behavior of the system is fully determined by knowing the seed and the algorithm used. These methods are quicker than harvesting "true" randomness from the environment, which is not directly accessible to computers.

The applications of randomness have led to many different methods for generating random data. These methods vary as to how unpredictable or statistically random they are, and how quickly they can generate random sequences. Before the advent of computational PRS, generating large amounts of sufficiently random numbers (important in statistics and physical experimentation) required a lot of work. Results would sometimes be collected and distributed as random number tables or even CD ISO images.

More formally, a pseudo-random sequence (PRS for short) can be defined as:

Definition 1. A sequence is pseudo-random if it cannot be distinguished from a truly random sequence by any efficient (polynomial time) procedure or circuit.

Theorem 1 ([2]). A sequence is pseudo-random iff it is next-bit unpredictable.

Theorem 1 states that for pseudo-random sequences, even if we know all the history, we do not have any information on the next bit. Theorem 1 was proved equivalent to:

Theorem 2 ([22]). A PRS generator G passes Yao's test if, for any family of circuits F with a polynomial number of gates computing a statistical test, G passes F.



1.2 Cellular automata 

In this section, we recall several definitions of cellular automata (CA). We focus on elementary cellular automata rules, which restrict the set of states to $\mathbb{F}_2$. A cellular automaton is generally a bi-infinite array of identical cells which evolve synchronously and in parallel according to a local transition function. The cells can only communicate with their nearest neighbors. Here, we will concentrate on two finite restrictions of CA:

- cyclic: a ring of $N$ cells indexed by $\mathbb{Z}_N$.

- null boundary: an array of $N$ cells in which both extremal cells are fed with zeroes.

All the cells are finite state machines with a finite number of states and a transition function which gives the new state of a cell according to its current state and the current states of its nearest neighbors.

Definition 2. A cellular automaton is a finite array of cells. Each cell is a finite state machine $C = (Q, f)$ where $Q$ is a finite set of states and $f$ a mapping $f : Q^3 \to Q$.



The mapping $f$, called the local transition function, has the following meaning: the state of cell $i$ at time $t+1$ (denoted by $x_i^{t+1}$) depends upon the states of cells $i-1$, $i$ and $i+1$ at time $t$ (the neighborhood of cell $i$ of radius 1). Fig. 1 illustrates one transition of a cellular automaton with 8 cells. The following equality rules the dynamics of the cellular automaton:

$$x_i^{t+1} = f(x_{i-1}^t, x_i^t, x_{i+1}^t) \qquad (1)$$

Fig. 1. Transition of a cell (rule 30); cyclic CA.

For a fixed $t$, the sequence of all the values $x_i^t$ for $i \in \mathbb{Z}_N$ is the configuration at time $t$. It is a mapping $c$ which assigns a state of $Q$ to each cell of the cellular automaton. The sequence of configurations as pictured by Fig. 2 is called a time-space diagram. Fig. 2 depicts the evolution of a ring with $N = 8$ cells. On the top of Fig. 2, we have depicted rule 30 with each transition illustrated by three adjacent squares representing the different preimages of $f$ and, on the bottom, their image by $f$. A 0 (resp. 1) is painted white (resp. black). On the bottom of Fig. 2, we see the time-space diagram of the cellular automaton from the initial configuration at time $t = 0$ to time $t = 7$.



2 LFSR synthesis by HCA 

We will restrict ourselves to the case where $Q = \mathbb{F}_2$ and $f$ is a Boolean predicate in 3 variables, an elementary rule. These CA have been considered in [19]: there are 256 different binary CA and a natural number can be associated to each rule as follows (see the top of Fig. 2). The top line gives all possible preimages for $f$ and the bottom line the images by $f$. Thus, $f$ is fully specified by the 8-bit number written on the bottom line (00011110 in our example), which can be translated into base 10 and is then called the rule of the cellular automaton (rule number 30 here). Equivalently, this rule can be considered as a Boolean function of (at most) 3 variables. Taking rule 30 again, its corresponding Boolean function is $x_i^{t+1} = x_{i-1}^t \oplus (x_i^t \vee x_{i+1}^t)$, with $\oplus$ denoting the Boolean XOR function and $\vee$ the classical Boolean OR function. It also has an equivalent polynomial formulation over $\mathbb{F}_2$.

Fig. 2. Evolution of CA30 on a ring with $N = 8$ cells.



Equivalent rules Since we are dealing with pseudo-random generators, some of the elementary rules are equivalent by three transformations, all introduced by Wolfram in [19, p. 492]. We first introduce some notation: let us denote by $\tilde{w}$ the mirror image of the finite binary word $w = w_1 \ldots w_n$, $\tilde{w} = w_n \ldots w_1$, and by $\bar{w}$ the word obtained from $w$ by exchanging the 0's and 1's (and conversely), $\bar{w} = \bar{w}_1 \ldots \bar{w}_n$. The first transformation is the conjugation, which interchanges the roles of 0 and 1. It takes as input $r$, the binary representation of a rule, and returns $\bar{\tilde{r}}$, the complement of its mirror image. For instance, the conjugation transforms rule 30 into rule 135. The second transformation, called reflection, gives a re-ordering of the bits of $r$. Each bit $f_r(x_{i-1}, x_i, x_{i+1})$ is replaced by the value of $f_r(x_{i+1}, x_i, x_{i-1})$ (the mirror image of $x_{i-1} x_i x_{i+1}$), which leads to a re-ordering of the bits of $r$, the binary representation of the rule. As an example, by reflection, rule 30 is changed into rule 86. The last transformation combines both and is called conjugation-reflection; it changes rule 30 into rule 149. All of these transformations preserve the Walsh-Hadamard transform values of the cellular automata dynamics and are thus statistically equivalent.
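The rule numbering and the three transformations above, as an added example (this code is not part of the paper or of Wolfram's work): a rule is evaluated by indexing bit $4a + 2b + c$ of its number, one synchronous step is taken on a ring or a null-boundary array, and conjugation, reflection and their composition are applied to rule 30. The initial configuration (a single 1 on a ring of 8 cells) is a constructed input chosen to match Fig. 2.

```python
# Added example: elementary CA rules under Wolfram's numbering, the three
# equivalence transformations, and rule-30 evolution on a ring.
# Cells are 0/1 ints; a configuration is a Python list.

def local_rule(rule, a, b, c):
    """f(a, b, c) for an elementary rule: bit 4a+2b+c of the rule number."""
    return (rule >> (4 * a + 2 * b + c)) & 1

def step(rule, cells, cyclic=True):
    """One synchronous transition. cyclic: ring indexed by Z_N;
    otherwise null boundary (virtual zeroes outside the array)."""
    n = len(cells)
    def at(i):
        if cyclic:
            return cells[i % n]
        return cells[i] if 0 <= i < n else 0
    return [local_rule(rule, at(i - 1), at(i), at(i + 1)) for i in range(n)]

def time_space_diagram(rule, cells, steps, cyclic=True):
    """Configurations from time 0 to `steps`: the rows drawn in Fig. 2."""
    rows = [list(cells)]
    for _ in range(steps):
        rows.append(step(rule, rows[-1], cyclic))
    return rows

def single_cell_sequence(rule, cells, i, length, cyclic=True):
    """Wolfram's generator: the successive values x_i^t of one fixed cell."""
    out = []
    for _ in range(length):
        out.append(cells[i])
        cells = step(rule, cells, cyclic)
    return out

def conjugate(rule):
    """Interchange 0 and 1: f'(a,b,c) = NOT f(NOT a, NOT b, NOT c),
    i.e. complement of the mirror image of the 8-bit rule word."""
    r = 0
    for k in range(8):
        r |= (1 - ((rule >> (7 - k)) & 1)) << k
    return r

def reflect(rule):
    """Mirror the neighbourhood: f'(a,b,c) = f(c,b,a)."""
    r = 0
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                r |= local_rule(rule, c, b, a) << (4 * a + 2 * b + c)
    return r

def conjugate_reflect(rule):
    return conjugate(reflect(rule))

def equivalence_class(rule):
    """The (at most four) rules statistically equivalent to `rule`."""
    return sorted({rule, conjugate(rule), reflect(rule), conjugate_reflect(rule)})

def count_equivalence_classes():
    return len({tuple(equivalence_class(r)) for r in range(256)})

def rule30_matches_formula():
    """Rule 30 is the Boolean function x_{i-1} XOR (x_i OR x_{i+1})."""
    return all(local_rule(30, a, b, c) == a ^ (b | c)
               for a in (0, 1) for b in (0, 1) for c in (0, 1))

if __name__ == "__main__":
    # Constructed initial configuration: one black cell on a ring of 8.
    for row in time_space_diagram(30, [0, 0, 0, 1, 0, 0, 0, 0], 7):
        print("".join("#" if x else "." for x in row))
    print("class of rule 30:", equivalence_class(30))
```

Running the block prints the 8-row time-space diagram of rule 30 and the class {30, 86, 135, 149}; `count_equivalence_classes()` returns 88, the number of rules that remain inequivalent under these transformations.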

2.1 Hybrid Cellular Automata 

In the sequel, we will consider the case where different cells of the CA can use different rules. This model is called hybrid and will be denoted by HCA for short. In the context of sequence generation, several authors have considered this extension of the model of CA [4, 13, 15]. We will focus on linear HCA (LHCA), the model used in [4].



Linear hybrid cellular automata In [14, 4], Muzio et al. consider null-boundary hybrid CA which only use two rules: rule 90 and rule 150. In this case, a CA is fully specified by which cells use rule 90 and which use rule 150. This information is summarized in the rule vector $M = [d_0, d_1, \ldots, d_{N-1}]$ such that

$$d_i = \begin{cases} 0 & \text{if cell } i \text{ uses rule 90} \\ 1 & \text{if cell } i \text{ uses rule 150} \end{cases}$$

Given $M$, its reversal is $M$'s mirror image: $[d_{N-1}, \ldots, d_1, d_0]$. We also define the sub-vector $M_{i,j} = [d_i, \ldots, d_j]$ with $i \le j$, which also represents a submachine of the HCA consisting of cells $i$ through $j$.

The encoding of rules 90 and 150 into zero and one, resp., means that equation (1) can be rewritten in $\mathbb{F}_2$ as $x_i^{t+1} = f_i(x_{i-1}^t, x_i^t, x_{i+1}^t) = x_{i-1}^t + d_i x_i^t + x_{i+1}^t$. We define the state of a HCA at time $t$ to be the $N$-tuple formed from the states of the cells: $x^t = [x_0^t, x_1^t, \ldots, x_{N-1}^t]^T$ (the superscript $T$ denotes the transpose). Then, the next state function of the HCA is computed as $x^{t+1} = f(x^t)$. Since each $f_i$ is linear, $f$ is also linear and an endomorphism of $\mathbb{F}_2^N$. Linearity implies the existence of a matrix $A$ such that $x^{t+1} = f(x^t) = A \cdot x^t$. The HCA transition matrix plays the same role as an LFSR transition matrix. $A$ is tridiagonal.

Let us denote by $\Delta$ the characteristic polynomial of $A$, that is $\Delta = |x\,\mathrm{Id} - A|$.

Definition 3. [4] A polynomial p is said to be a HCA polynomial if it is the character- 
istic polynomial of some HCA. 

Recall that $M_{i,j}$ is the HCA consisting of cells $i$ through $j$ and denote by $\Delta_{i,j}$ its corresponding characteristic polynomial. When $i = 0$, we simply write $M_k$ (resp. $\Delta_k$) for the CA consisting of cells 0 to $k$ (resp. its corresponding characteristic polynomial). Cattell and Muzio [4] proved that $\Delta_k$ satisfies a recurrence relation:

Theorem 3 ([4]). $\Delta_k$ satisfies the recurrence: $\Delta_{-2} = 0$, $\Delta_{-1} = 1$, $\Delta_k = (x + d_k)\Delta_{k-1} + \Delta_{k-2}$ for $k \ge 0$.

Theorem 3 provides an efficient algorithm to compute $\Delta_{N-1}$, the characteristic polynomial of a HCA, from its rule vector $M$. Actually, this recurrence relation is related to the Euclidean GCD algorithm on polynomials, with $\Delta_k$ as the dividend, $\Delta_{k-1}$ as the divisor, $x + d_k$ as the quotient and $\Delta_{k-2}$ as the remainder. Applying Euclid's algorithm yields the sequence of quotients, whose constant terms are the mirror image of the rule vector. This comes from:

Lemma 1 ([4]). Let $p \in \mathbb{F}_2[x]$ and $q \in \mathbb{F}_2[x]$ of respective degrees $n$ and $n-1$. Then there exists a HCA with characteristic polynomial $p$ and characteristic subpolynomial $q$ if and only if applying Euclid's algorithm to $p$ and $q$ results in $n$ degree-one quotients.



Thus $\Delta_{N-1}$ and $\Delta_{N-2}$ determine the whole HCA. But in general, a characteristic polynomial is not sufficient to uniquely determine the HCA. Just consider the following counter-example, where two different rule vectors share the same characteristic polynomial:

$$[0, 0, 1, 0, 0, 0] \;\mapsto\; x^6 + x^5 + x^4 + x^3 + 1 \;\leftarrow\; [1, 1, 0, 1, 1, 1]$$

To uniquely determine the HCA, we must know one more characteristic subpolynomial, $\Delta_{1,N-1}$, and use Theorem 4:

Theorem 4 (HCA quadratic congruence [4]). Suppose we have a HCA with characteristic polynomial $\Delta_{N-1}$ and characteristic subpolynomials $\Delta_{N-2}$ and $\Delta_{1,N-1}$. Then both $y = \Delta_{N-2}$ and $y = \Delta_{1,N-1}$ satisfy the congruence
$$y^2 + (x^2 + x)\,\Delta'_{N-1}\,y + 1 \equiv 0 \pmod{\Delta_{N-1}}$$
where $\Delta'_{N-1}$ is the formal derivative of $\Delta_{N-1}$ in $\mathbb{F}_2[x]$.

By combining Lemma 1 and Theorem 4, Cattell and Muzio give a characterization of HCA polynomials and an algorithm for finding a HCA given a polynomial. Their method has recently been improved in [7].

Corollary 1. Let $p \in \mathbb{F}_2[x]$ of degree $n$. Then $p$ is a HCA polynomial if and only if, for some solution $q$ for $y$ of the congruence

$$y^2 + (x^2 + x)\,p'\,y + 1 \equiv 0 \pmod{p} \qquad (2)$$

Euclid's algorithm on $p$ and $q$ results in $n$ degree-one quotients.

Theorem 4 has some weaknesses: it says neither that the polynomial solutions to the quadratic congruence will be subpolynomials of $\Delta_{N-1}$, nor that non-HCA polynomials will have no solution to the quadratic congruence. Theorem 4 only gives necessary conditions for HCA polynomials: they have solutions to the quadratic congruence, and some of these solutions are subpolynomials. However, Theorem 4 is useful for irreducible polynomials:

Theorem 5. If $p \in \mathbb{F}_2[x]$ is an irreducible polynomial of degree $n$, then equation (2) has exactly two solutions, both of which result in $n$ degree-one quotients.

Corollary 2. If $p \in \mathbb{F}_2[x]$ is an irreducible polynomial, then $p$ has exactly two HCA realizations, one being the reversal of the other.

Since one can build a HCA from an irreducible polynomial and represent it by its transition matrix, we can ask what the relationship between LHCA and LFSR is. If both are based on the same irreducible or primitive polynomial, they have the same behavior up to a permutation of the order in which the states appear, and the cycle structure of the states is identical. A similarity transform between LHCA and LFSR has been given in [5] and recently improved in [8].
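The synthesis theory of this section, from the Theorem 3 recurrence through Lemma 1, the quadratic congruence of Theorem 4 and the period statement just above, as an added example (this is not the code of [4] or of the paper). Polynomials over $\mathbb{F}_2$ are represented as Python ints with bit $k$ the coefficient of $x^k$; the solutions of congruence (2) are found by exhaustive search over the $2^n$ candidates, which is only meant for small $n$ (an assumption of this example, not the method of [4] or [7]). The inputs $x^4 + x + 1$ (primitive) and the counter-example $x^6 + x^5 + x^4 + x^3 + 1$ are the ones discussed in the text.

```python
# Added example (not from [4] or the paper): LHCA with rules 90/150 and null
# boundary. Polynomials over F_2 are Python ints, bit k = coefficient of x^k,
# so x^4 + x + 1 is 0b10011. Rule vectors are lists of 0 (rule 90) / 1 (rule 150).

def deg(a):
    return a.bit_length() - 1

def pmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Long division in F_2[x]: returns (quotient, remainder)."""
    q = 0
    while a and deg(a) >= deg(b):
        s = deg(a) - deg(b)
        q ^= 1 << s
        a ^= b << s
    return q, a

def pderiv(a):
    """Formal derivative over F_2: only odd powers of x survive."""
    r = 0
    for k in range(1, a.bit_length(), 2):
        if (a >> k) & 1:
            r |= 1 << (k - 1)
    return r

def hca_charpoly(rules):
    """Theorem 3: D_{-2} = 0, D_{-1} = 1, D_k = (x + d_k) D_{k-1} + D_{k-2}."""
    prev, cur = 0, 1
    for d in rules:
        prev, cur = cur, pmul(0b10 | d, cur) ^ prev
    return cur

def hca_from_polys(p, q):
    """Lemma 1: Euclid on (p, q). When every quotient has degree one, their
    constant terms read backwards are the rule vector; otherwise None."""
    consts, a, b = [], p, q
    while b:
        quo, rem = pdivmod(a, b)
        if deg(quo) != 1:
            return None
        consts.append(quo & 1)
        a, b = b, rem
    return consts[::-1] if len(consts) == deg(p) else None

def satisfies_congruence(p, y):
    """Congruence (2): y^2 + (x^2 + x) p' y + 1 == 0 (mod p)."""
    v = pmul(y, y) ^ pmul(pmul(0b110, pderiv(p)), y) ^ 1
    return pdivmod(v, p)[1] == 0

def congruence_solutions(p):
    """All y of degree < deg p satisfying (2), by exhaustive search (small n only)."""
    return [y for y in range(1 << deg(p)) if satisfies_congruence(p, y)]

def synthesize(p):
    """Corollary 1 turned into a procedure: every rule vector realizing p.
    For irreducible p the result is one pair of mirror images (Corollary 2)."""
    found = []
    for y in congruence_solutions(p):
        rules = hca_from_polys(p, y)
        if rules is not None and hca_charpoly(rules) == p:
            found.append(rules)
    return found

def hca_step(rules, state):
    """x_i' = x_{i-1} + d_i x_i + x_{i+1} over F_2, zeroes outside the array."""
    n = len(state)
    return [(state[i - 1] if i > 0 else 0) ^ (rules[i] & state[i])
            ^ (state[i + 1] if i < n - 1 else 0) for i in range(n)]

def hca_period(rules, state):
    """Cycle length through `state`: 2^n - 1 for a primitive polynomial,
    the same cycle structure as the LFSR with that polynomial."""
    cur, k = hca_step(rules, state), 1
    while cur != state:
        cur, k = hca_step(rules, cur), k + 1
    return k

if __name__ == "__main__":
    print(synthesize(0b10011))                       # realizations of x^4 + x + 1
    print(hca_charpoly([0, 0, 1, 0, 0, 0]) == hca_charpoly([1, 1, 0, 1, 1, 1]))
    print(hca_period([0, 1, 0, 1], [1, 0, 0, 0]))
```

For $x^4 + x + 1$ the congruence has exactly the two solutions $x^3 + x$ and $x^3 + x^2$, which Euclid turns into the rule vectors $[1, 0, 1, 0]$ and $[0, 1, 0, 1]$, mirror images of each other; the subpolynomials $\Delta_{N-2}$ and $\Delta_{1,N-1}$ of the reducible counter-example both satisfy the congruence, as Theorem 4 requires, while that polynomial admits more than two realizations.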



3 PRS generation by CA 

In [17, 18], Wolfram uses a one-dimensional cellular automaton for pseudo-random bit generation by selecting the values taken by a single cell when iterating the computation of rule 30 from an initial finite configuration where the cells are arranged on a ring of $N$ cells. Mathematically, Wolfram claims the sequence $\{x_i^t\}_{t \ge 0}$ is pseudo-random for a given $i$. Wolfram extensively studied this particular rule, demonstrating its suitability as a high performance randomizer which can be efficiently implemented in parallel; indeed, this is one of the pseudo-random generators which was shipped with the Connection Machine CM-2 and which is currently used in the Mathematica® software.

Unfortunately, this PRG is not suitable for cryptographic purposes. In [12], Meier and Staffelbach proposed a correlation attack to reverse the PRS generated by rule 30, although it passes classical statistical tests like the ones proposed in [9].

More recently, in [11], we have used a Walsh transform to explore the set of the 256 elementary rules. The Walsh transform is a well-known tool in the field of cryptology for studying the correlation-immunity of Boolean functions: Xiao and Massey [21] have characterized the notion of correlation-immunity with the Walsh transform. We have applied this technique to the pseudo-random sequences generated by all of the 256 binary rules and we provide evidence that there does not exist a non-linear rule which generates a correlation-immune pseudo-random sequence. Thus, we state Theorem 6.

Theorem 6 ([11]). There is no non-linear correlation-immune elementary CA.

And, according to Theorem 2, we can state that:

Corollary 3. There is no elementary CA which can serve as a PRS generator.

So, does Theorem 6 annihilate any hope to design a good PRG by means of CA? Not necessarily. The next section recalls the approach initiated by Tomassini and Sipper and section 5 describes another way of generating PRS with LHCA.
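The Walsh transform and the Xiao-Massey criterion applied to the local rule of an elementary CA, as an added example (not the code of [11]). It computes $W_f(u) = \sum_x (-1)^{f(x) + \langle u, x \rangle}$ over the eight neighbourhoods $(x_{i-1}, x_i, x_{i+1})$, tests first-order correlation immunity (all weight-one Walsh values zero), and reports which neighbour a rule's output is biased towards. This checks only the 3-variable rule itself, which is a weaker statement than the sequence-level analysis of [11]; for rule 30 it already exhibits the bias a correlation attack feeds on.

```python
# Added example: Walsh spectrum of a 3-variable elementary rule and the
# Xiao-Massey test for first-order correlation immunity.
# Neighbourhood bits are (a, b, c) = (x_{i-1}, x_i, x_{i+1}).
from itertools import product

def rule_bit(rule, a, b, c):
    return (rule >> (4 * a + 2 * b + c)) & 1

def walsh(rule, u):
    """W_f(u) = sum over the 8 inputs x of (-1)^(f(x) + <u, x>)."""
    total = 0
    for x in product((0, 1), repeat=3):
        dot = sum(ui & xi for ui, xi in zip(u, x)) & 1
        total += -1 if rule_bit(rule, *x) ^ dot else 1
    return total

def spectrum(rule):
    return {u: walsh(rule, u) for u in product((0, 1), repeat=3)}

def is_correlation_immune(rule, order=1):
    """Xiao-Massey: f is CI of order m iff W_f(u) = 0 for 1 <= wt(u) <= m."""
    return all(w == 0 for u, w in spectrum(rule).items() if 1 <= sum(u) <= order)

def is_affine(rule):
    """Affine rules concentrate the whole spectrum (Parseval: 64) in one |W| = 8."""
    return sorted(abs(w) for w in spectrum(rule).values()) == [0] * 7 + [8]

def affine_rules():
    return [r for r in range(256) if is_affine(r)]

def biased_inputs(rule):
    """Weight-one u with W_f(u) != 0, with Pr[f(x) = x_u] = (8 + W_f(u)) / 16:
    the neighbour whose value leaks through the output."""
    return {u: (8 + w) / 16 for u, w in spectrum(rule).items()
            if sum(u) == 1 and w != 0}

if __name__ == "__main__":
    for r in (30, 90, 150):
        print(r, "affine" if is_affine(r) else "non-linear",
              "CI(1)" if is_correlation_immune(r) else "not CI(1)", biased_inputs(r))
```

For rule 30 the only non-zero weight-one value is $W_f(1,0,0) = -4$: the output agrees with $x_{i-1}$ on 2 of the 8 neighbourhoods, i.e. it equals the complement of the left neighbour three quarters of the time, which is visible directly from $x_{i-1} \oplus (x_i \vee x_{i+1})$ since the OR is 1 with probability $3/4$. Rules 90 and 150 pass the first-order test but are affine, which is the dilemma Theorem 6 expresses.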

4 PRS generation by HCA 

4.1 The cellular programming approach 

Tomassini and Sipper [15] proposed to use HCA for generating better PRS. In this model, the rules are obtained by an evolutionary approach (a genetic algorithm). They have designed a cellular programming algorithm for cellular automata to perform computations, and have applied it to the evolution of pseudo-random sequence generators.

Their genetic algorithm uses Koza's entropy
$$E_h = -\sum_{j=1}^{k^h} p_{hj} \log_2 p_{hj}$$
where $k$ denotes the number of possible values per sequence position, $h$ a subsequence length and $p_{hj}$ is the measured probability of occurrence of a subsequence $h_j$ in a pseudo-random sequence. It measures the entropy for the set of $k^h$ probabilities of the $k^h$ possible subsequences of length $h$. The entropy achieves its maximal value $E_h = h$ (for binary sequences, $k = 2$) when the probabilities of the $k^h$ possible sequences of length $h$ are all equal to $1/k^h$. They have selected four rules of radius 1 for use in non-uniform cellular automata. The best rules selected by the genetic algorithm were rules 90, 105, 150 and 165 (which are all linear, a clear drawback).

A series of tests (including the $\chi^2$ test, serial correlation coefficient, entropy and Monte Carlo, but no correlation-immunity analysis) were made with good results, showing that co-evolved generators are at least as good as the best available CA randomizer. The authors also use elementary rules which we proved to be not correlation-immune. This was further investigated in [13].

Following the same kind of approach, Seredynski et al. [13] have generalized the selection process to radius 2 rules. They then use both radius 1 and radius 2 rules in hybrid cellular automata. The rules selected by their genetic algorithm were 30, 86, 101 and 869020563, 1047380370, 1436194405, 1436965290, 1705400746, 1815843780, 2084275140 and 2592765285.

Their new set of rules was tested by a number of statistical tests required by the FIPS 140-2 standard [16], but no correlation-immunity analysis was made either.



4.2 The synthesis approach 

This approach follows the synthesis algorithm proposed in [4]. They propose a method for the synthesis of a HCA from a given irreducible polynomial over $\mathbb{F}_2$. The same problem for LFSR is well known, as the LFSR can be directly obtained from the transition matrix. Furthermore, there is a one-to-one correspondence between LFSRs and polynomials. For CA, in general, a characteristic polynomial is not sufficient to uniquely determine the CA from which it was computed.

If we consider the characteristic polynomial $\Delta$ of the HCA (assumed to be irreducible), with $\alpha$ a root in $\mathbb{F}_{2^n}$, all $n$ roots of $\Delta$ lie in $\mathbb{F}_{2^n}$. The roots $\alpha, \alpha^2, \alpha^4, \ldots, \alpha^{2^{n-1}}$ are distinct and $\Delta$ can be factored in $\mathbb{F}_{2^n}$ as $(x - \alpha)(x - \alpha^2)(x - \alpha^4) \cdots (x - \alpha^{2^{n-1}})$.



Product of irreducibles Given $p$ and $q$ two irreducible characteristic polynomials and $P$ and $Q$ their respective transition matrices, one can build the transition matrix corresponding to $p \cdot q$. It can be defined by blocks as
$$\begin{pmatrix} P & 0 \\ 0 & Q \end{pmatrix}.$$
This operation corresponds to the concatenation of LHCA [6]. They note that it permits the concatenation of primitive machines to form machines of much longer length.



5 Application: Boolean function evaluation

There is a well-known dictionary between, on the one hand, Boolean functions in $n$ variables, and, on the other hand, binary sequences of period $2^n$. More specifically, if $f$ is such a function, and if we denote by $\bar{i}$ the base-2 expansion of $i$, we can define a sequence by the rule $S_f(i) = f(\bar{i})$, for $0 \le i \le 2^n - 1$.

Many interesting Boolean functions can be cast in the form $f(x) = \mathrm{Tr}(ax + bx^s)$, where $a, b$ are scalars of the extension field $\mathbb{F}_{2^n}$ and $\mathrm{Tr}$ is the trace function from $\mathbb{F}_{2^n}$ down to $\mathbb{F}_2$. In the case where $n$ is odd and the Walsh-Hadamard transform takes only three values, they are the so-called plateaued Boolean functions of order $n - 1$ [23], also known as almost optimal or semi-bent.

They are the traces of so-called almost bent (AB) functions [3]. For monomial AB functions, the most famous exponents $s$ are in the conjecturally exhaustive list of Gold, Kasami, Welch and Niho (see Table 1). In all these cases, an upshot of the theory of Mattson-Solomon polynomials [10, p. 249] is that the parity check polynomial of the attached cyclic codes (or, essentially, the connection polynomial of the LFSR) is of the form $m_\alpha m_{\alpha^s}$, where $\alpha$ generates $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$ and $m_\beta$ denotes the minimal polynomial of $\beta$. A fast algorithm to compute the minimal polynomials of elements in finite field extensions is given in [1].

Table 1. Exponents of AB monomials.

  Name     $s$                          Condition
  Gold     $2^i + 1$                    $\gcd(i, m) = 1$, $1 \le i < m/2$
  Kasami   $2^{2i} - 2^i + 1$           $\gcd(i, m) = 1$, $1 \le i < m/2$
  Welch    $2^{(m-1)/2} + 3$
  Niho     $2^{2r} + 2^r - 1$           $r = t/2$ for $t$ even, $r = (3t+1)/2$ for $t$ odd, with $1 \le r < m = 2t + 1$
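The dictionary of this section carried through for one Gold exponent, as an added example (not the paper's code, nor the algorithm of [1]). Assumptions made here: the field $\mathbb{F}_{2^5}$ is built on the primitive polynomial $x^5 + x^2 + 1$ with $\alpha = x$; the sequence attached to $f(x) = \mathrm{Tr}(ax + bx^s)$ is taken to be $s_t = \mathrm{Tr}(a\alpha^t + b\alpha^{st})$; minimal polynomials are obtained by multiplying out $\prod_j (x + \beta^{2^j})$ over the conjugates, which is the definition rather than a fast method; and the Walsh spectrum is computed by brute force, fine for $n = 5$. The block checks that the sequence obeys the recurrence of $m_\alpha m_{\alpha^s}$ but of neither factor alone, and that the Boolean function is three-valued, as stated above.

```python
# Added example (not the paper's code): the Section 5 dictionary worked out in
# F_{2^5}. Assumptions: the field is built on the primitive polynomial
# x^5 + x^2 + 1 with alpha = x, and the sequence attached to f = Tr(a x + b x^s)
# is s_t = Tr(a alpha^t + b alpha^(s t)). Field elements and polynomials over
# F_2 are both ints with bit k = coefficient of x^k.

N = 5
MOD = 0b100101          # x^5 + x^2 + 1, assumed primitive
ALPHA = 0b10            # the element x

def gf_mul(a, b):
    """Multiply in F_{2^N}, reducing by MOD whenever bit N appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= MOD
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def trace(a):
    """Tr(a) = a + a^2 + a^4 + ... + a^(2^(N-1)), an element of F_2."""
    t, s = 0, a
    for _ in range(N):
        t ^= s
        s = gf_mul(s, s)
    return t

def minimal_polynomial(beta):
    """m_beta(x) = product over the conjugates beta^(2^j) of (x + beta^(2^j)),
    multiplied out in the field; the coefficients come out in F_2."""
    conj, c = [], beta
    while c not in conj:
        conj.append(c)
        c = gf_mul(c, c)
    poly = [1]                                   # coefficient list, index = degree
    for c in conj:
        nxt = [0] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            nxt[i + 1] ^= coef                   # x * poly
            nxt[i] ^= gf_mul(c, coef)            # c * poly
        poly = nxt
    assert all(v in (0, 1) for v in poly)
    return sum(v << i for i, v in enumerate(poly))

def pmul(a, b):
    """Product in F_2[x] (ints as bit vectors)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def trace_sequence(a, b, s):
    """One period (length 2^N - 1) of s_t = Tr(a alpha^t + b alpha^(s t))."""
    return [trace(gf_mul(a, gf_pow(ALPHA, t)) ^ gf_mul(b, gf_pow(ALPHA, s * t)))
            for t in range((1 << N) - 1)]

def satisfies_recurrence(seq, poly):
    """True iff sum_j c_j s_{t+j} = 0 for every t, c_j the bits of poly,
    i.e. poly is a characteristic polynomial of the periodic sequence."""
    L = len(seq)
    return all(sum(((poly >> j) & 1) & seq[(t + j) % L]
                   for j in range(poly.bit_length())) % 2 == 0
               for t in range(L))

def boolean_function(a, b, s):
    """Truth table of f(x) = Tr(a x + b x^s), x over the 2^N bit vectors."""
    return [trace(gf_mul(a, x) ^ gf_mul(b, gf_pow(x, s))) for x in range(1 << N)]

def walsh_values(f):
    """Set of Walsh-Hadamard values sum_x (-1)^(f(x) + <u,x>) over all u."""
    vals = set()
    for u in range(1 << N):
        vals.add(sum(-1 if f[x] ^ (bin(u & x).count("1") & 1) else 1
                     for x in range(1 << N)))
    return vals

def gold_example(a=1, b=1, i=1):
    """Gold exponent s = 2^i + 1 with gcd(i, N) = 1 (Table 1, first row)."""
    s = (1 << i) + 1
    m_a, m_s = minimal_polynomial(ALPHA), minimal_polynomial(gf_pow(ALPHA, s))
    seq = trace_sequence(a, b, s)
    return {"s": s, "m_alpha": m_a, "m_alpha_s": m_s,
            "product_ok": satisfies_recurrence(seq, pmul(m_a, m_s)),
            "factor_ok": satisfies_recurrence(seq, m_a) or satisfies_recurrence(seq, m_s),
            "walsh": walsh_values(boolean_function(a, b, s))}
```

With $s = 3$ the sequence has period 31 and linear recurrence of degree 10 given by $m_\alpha m_{\alpha^3}$, so an LFSR (or, by Section 2, an LHCA) of length 10 evaluates $\mathrm{Tr}(\alpha^t + \alpha^{3t})$ one bit per clock; the Walsh values of the 5-variable function are exactly $\{0, \pm 8\}$, the semi-bent case of the text.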

6 Conclusion 



We have used the synthesis approach to give an effective CA-realization of classical pseudo-random sequences of cryptographic quality. The main interest of this work would be to give a hardware implementation. The target hardware model of CAs is the Field Programmable Gate Array (FPGA). FPGAs are now a popular implementation style for digital logic systems and subsystems. These devices consist of an array of uncommitted logic gates whose function and interconnection is determined by downloading information to the device. When the programming configuration is held in static RAM, the logic function implemented by those FPGAs can be dynamically reconfigured in fractions of a second by rewriting the configuration memory contents. Thus, the use of FPGAs can speed up the computation done by the cellular automata. Putting it all together allows high-rate pseudo-random generation of good quality.